BGP FlowSpec

RASCOM is offering to their customers a set of tools protecting their networks against different types of attacks and the consequences thereof. The solution is based upon employing an extension of the BGP FlowSpec protocol that allows the customer to decrease dramatically the harmful effect of the attack on its network. In addition to that, the customer is given a series of tools for blocking-out the undesired traffic from RASCOMís network in order to avoid its propagation over the customerís own network: black-holing (BGP-blackhole community), on-demand control of traffic filtering at the customerís interface, customerís personal account for independent controlling the FlowSpec filtering rules, connecting to the BGP FlowSpec controller for automatic mode filtering, FlowSpec ruleís function statistics.

Technical implementation

At RASCOMís network, the protocol BGP FlowSpec (RFC5575) is fully introduced as an additional protection measure which allows to cut-off the traffic of those protocols and/or packet types that are not used at the customerís network and are used in DDoS attacks.

The attacking traffic filtration is effected on the circuit and hardware resources level of RASCOMís backbone network, immediately at all our backbone routers. The traffic as specified in the rules sent over the BGP FlowSpec, is either destroyed or rate-limited. The remaining traffic (that was not shown in the BGP FlowSpec rules) will be passed unaffected.

Service is available for following countries:

The Russian Federation
Czech Republic
The Great Britain
The Netherlands
Republic of China

Customerís personal account

To establish filtration rules, the customer is given a WEB-interface in its personal account for those customers who have no opportunity to send the BGP FlowSpec protocol rules from their respective networks as well as for those whose network does not use BGP routing.

Along with that, in the account, statistics of using the filtration rules is available which makes it possible to estimate the efficiency of the protection measures.

BGP blackhole

As an additional measure for fighting against the attacks, a standard mechanism such as BGP blackhole community is used, as well. The BGP-Blackholing mechanism (Destination-based RTBH) is implemented using bgp-community for prefixes /32. That is, upon detecting any harmful traffic (an attack) on a host (IP-address) on the customerís network, it is possible to announce over BGP to RASCOM the prefix of that host (/32) with a special blackhole-community 20764:6666, and the traffic toward the indicated host will be dropped at RASCOMís network border by all backbone routers.

Service Technical Support and ACL installation

Service Technical Support and ACL installation can be ordered by sending a message to RASCOMís NMC at: noc@rascom.ru (phone: +7-812-702-2500). It is possible to install a filter (ACL) basing upon src/dst ip/proto/port at the connecting interface.

BGP FlowSpec Service is available in every Point of Presence of RASCOMís IP network

bgp flowspec

Link to BGP FlowSpec Service Presentation

To request technical and commercial terms of providing services please contact RASCOM Sales Department: +7(812)303-91-70 or +7(495)748-11-00, or use the CONTACT FORM.